Nearly 1 in 5 ransomware attacks led to a lawsuit in 2023

According to data collated by Comparitech researchers, almost 1 in 5 ransomware attacks led to a lawsuit in 2023. Over the past couple of years, lawsuits filed following ransomware attacks have increased, with the overall average over the last five years standing at 12 percent.

Across just over 3,000 confirmed* ransomware attacks, 355 lawsuits have been filed. Of the cases that have been completed (228 in total), 59 percent were successful, i.e. they led to a data breach settlement, resulted in the company being fined for failing to safeguard systems and/or data, or were settled through mediation/out of court. A further 57 (25 percent) led to voluntary dismissals by the plaintiffs. This could suggest out-of-court settlements were reached in these cases, too.

Just 25 cases (11 percent) were dismissed by judges.

In 112 cases, settlement figures were provided. These figures totaled over $245 million with the average settlement being $2.2 million. 2023 saw an average settlement figure of nearly $2.1 million.

In addition to these, organizations have been hit with nearly $10 million worth of penalties. These penalties tend to be enforced due to company failures before, during, or after a ransomware attack. For example, SEC fined Blackbaud $3 million for “making misleading disclosures” about its 2020 attack, while Green Ridge Behavioral Health LLC was recently fined $40,000 by the United States Department of Health and Human Services for failing to comply with HIPAA rules. This included not having appropriate security measures in place.

Attacks in 2023 have seen a record-breaking 123 lawsuits being filed, so far.

*Confirmed attacks are those that are verified through cyber attack/data breach notifications, for example. They do not include unsubstantiated claims made by ransomware groups via data leak sites.

Key findings

From 2018 to the end of March 2024:

  • 355 lawsuits filed following 3,002 ransomware attacks (12 percent)
  • 228 lawsuits have been completed. Of these:
    • 134 were successful (59%)
    • 12 were settled out of court through arbitration, e.g. mediation (5%)
    • 25 were dismissed (11%)
    • 57 were voluntarily dismissed by the plaintiff (25%)
  • $245,083,162 in settlement amounts (across 112 cases)
  • The average settlement amount is $2,188,243
  • The maximum average payout for plaintiffs is $5,000
  • $9,865,000 in penalties have been issued
  • The healthcare industry saw the highest volume of lawsuits filed: 111 out of 521 attacks (21%)
  • Businesses were hit with the highest penalty amounts ($8.7 million) and settlement amounts ($168 million)
  • Most lawsuits are filed due to a data breach following the ransomware attack
  • 283,346,702 individual records are known to have been impacted in the ransomware attacks with lawsuits filed

Ransomware lawsuits by year

In recent years, the number of lawsuits filed following a ransomware attack has increased. This is particularly highlighted in 2022, when the number of confirmed attacks dropped significantly (from nearly 700 in 2021 to 445) but the percentage of lawsuits filed following these attacks increased (from 13 percent of cases in 2021 to 18 percent of cases in 2022). 18 percent of the ransomware attacks noted in 2023 also resulted in lawsuits. And, with many data breach notifications still being issued for 2023 attacks, this figure is likely to increase.

When we look at the success of these lawsuits by year, we can also see a rise in the number of cases that are dismissed voluntarily by the plaintiff or are settled out of court. For example, in 2020, two out of 39 completed lawsuits (5 percent) were dismissed voluntarily, while this rose to 24 out of 31 (77 percent) in 2023.

With the rise in the number of lawsuits filed, settling out of court, either through mediation or by reaching an agreement directly with the plaintiff(s), will help speed things up and could reduce costs for the defendant.

In 2023, the average settlement peaked again at nearly $2.1 million, beaten only by 2020 with $4.1 million.

The top five biggest ransomware lawsuit settlements

According to the lawsuits where settlement figures are available, the top five are:

    1. Horizon Actuarial Services, LLC – $8.7 million: Horizon Actuarial Services proposed a settlement agreement of just over $8.7 million following its November 2021 ransomware attack. The settlement was approved by the court earlier this month and included 4.4 million class members. Class members can submit claims of up to $5,000 for out-of-pocket expenses arising from the data breach, plus up to $25 per hour of lost time (up to 5 hours).
    2. Accellion – $8.1 million: Up to $10,000 was made available for each class member in this proposed settlement from Accellion. This followed its data breach in December 2020 due to zero-day vulnerabilities in its File Transfer Appliance (FTA). The case featured 9.2 million class members.
    3. Orrick, Herrington & Sutcliffe – $8 million: Orrick, Herrington & Sutcliffe has just reached this settlement agreement following its ransomware attack in February 2023. It led to a breach of 637,620 records. Class members may claim up to $7,500 for ‘extraordinary’ losses and up to $2,500 for out-of-pocket expenses.
    4. Scripps Health – $6.7 million: Following its ransomware attack in May 2021, Scripps Health agreed to a $6.7 million settlement. Up to $7,500 was available to those who had ‘ordinary’ out-of-pocket expenses due to the attack or up to $1,000 for ‘extraordinary’ out-of-pocket expenses.
    5. Planned Parenthood LA – $6 million: A figure of $6 million has been preliminarily approved in the settlement agreement with Planned Parenthood LA following its October 2021 ransomware attack. Nearly 410,000 people were impacted in the data breach as a result of this attack. If approved in August, class members will be eligible for up to $10,000 for documented losses and/or out-of-pocket costs and $30 per hour for lost time (up to seven hours).

Ransomware lawsuits by industry

As previously mentioned, healthcare saw the highest percentage of lawsuits filed following ransomware attacks. Since 2018, 111 out of 521 attacks (21 percent) have seen lawsuits being filed. 43 percent have been successful, or 87 percent when including voluntary dismissals.

You’ll also note from the below table that the number of lawsuits filed and settlement amounts correspond with the number of records impacted in these attacks.

The education sector has the lowest success rate at just 20 percent, but this increases significantly when considering voluntary dismissals (93 percent). Businesses have a higher success rate for lawsuits, with 73 percent (or 90 percent including voluntary dismissals). Below, we can see how this changes by sub-industry.

Ransomware lawsuits by sub-industry

Construction and food and beverage lawsuits both have a 100 percent success rate. However, these sectors have seen fewer attacks and lawsuits filed. The utilities sector has only seen one successful lawsuit. This was the recent case against CommScope in which it has agreed to a settlement of $440,000. In contrast, three against Colonial Pipeline were dismissed in 2022.

The three lawsuits against Colonial Pipeline made various claims including negligence, improper safeguards, breach of public duty, and violations of consumer protection statutes, but the Federal Court in Georgia dismissed all of these.

The service, technology, and transportation industries have seen high lawsuit success rates. But the finance industry has seen the most lawsuits and, therefore, some of the highest settlement amounts. Like the high rate within the healthcare sector, this could be due to the sensitive nature of the data collected by finance organizations. This is highlighted in the Horizon Actuarial Services settlement mentioned above.

Data breaches are the main reason for ransomware lawsuit filings

One of the primary reasons lawsuits are filed is a data breach following the attack. 283.3 million records were involved in the 355 attacks where lawsuits have been filed. These records account for around 80 percent of the records impacted across all confirmed ransomware attacks since 2018 (3,002 in total).

It’s perhaps no surprise then that some of the largest volumes of these breached records are in the healthcare (51 million) and finance sectors (41 million) where we’ve seen the most lawsuits being filed.

The technology industry has seen the most records impacted, but the majority of these stem from the huge attacks on MOVEit, Blackbaud, Accellion, Fortra, LLC (GoAnywhere), and OneTouchPoint (OTP). All of these attacks led to multiple companies being affected and highlight the growing number of ransomware attacks that exploit unpatched software vulnerabilities.

Equally, out of the top 50 ransomware attacks since 2018 (based on records affected), 48 have seen lawsuits filed. The only ones that haven’t had lawsuits filed are the June 2021 attack against the University Medical Center of Southern Nevada and the recent attack against the VF Corporation. The latter is under investigation by several law firms, however, and due to the large volume of data involved (35.5 million records), it’s highly likely we’ll see a number of lawsuits being filed in this case.

The future of lawsuits following ransomware

Data for 2024 is limited due to the time it takes for the breach notifications to be issued following ransomware attacks and to file a lawsuit. The data we’ve collated from the last few years suggests lawsuits are going to become even more common following such attacks.

However, as they continue to increase, it’s likely we’ll see more out-of-court settlements and voluntary dismissals in favor of quick resolutions and lower organizational costs.

Methodology & limitations

To establish how many ransomware attacks led to lawsuits, our team used our list of US ransomware attacks and then searched each company individually to establish whether or not a lawsuit had been filed. The data is based on what we have collated from 2018 to March 2024.

Settlement costs – In cases where a settlement has been agreed but is awaiting final approval, the amount we’ve included is the maximum amount a company will face (the “cap”). Or, if only attorney fees are confirmed, settlement costs are estimated from those attorney fees. In the vast majority of cases, attorney fees account for 33.33% of overall settlement costs.

Lawsuit figures – In a number of cases, multiple lawsuits are filed but are subsequently consolidated. In these cases, we’ve counted the consolidated lawsuit as 1. For example, in the case of Fred Hutchinson Cancer Center, over half a dozen lawsuits were initially filed but these were consolidated into one (Doe v. Fred Hutchinson Cancer Center et al), so this is classed as 1 in our lawsuit figures.

Sources

https://pacer.gov

https://www.pacermonitor.com

https://www.classaction.org

https://topclassactions.com